Thoughts on ISO 27001

So in my start-up introDus ApS, we're working on getting compliant with ISO 27001, doing audits and much more. This post is basically my thoughts on the process of getting into ISO standards as a total and utter newbie.

In the future I will add a checklist post where I share the standard documents for free as we make them for our company. I will share them with everyone, because the whole thing seems like a jungle.

Enter the ISO jungle

Wtf is an ISO standard, where do I start, why are we doing it, and what is the difference between compliance and certification? Those were my initial questions. From those questions came loads more.

What is the difference between compliance and certification?

The difference lies in whether you proclaim compliance yourself or a third party proclaims it for you. Third-party certification usually costs an insane amount of money compared to the job they actually do.

Compliance basically means that you adhere 100% to all the requirements in the standard. For ISO 27001 there is a series of documentation requirements and a series of requirements that call for actions to be carried out.

Why are we doing this to ourselves?

Essentially: if you own a restaurant and you want your customers to come back, as you usually do, you want to make sure that your wholesaler complies with a relevant standard (e.g. ISO 22000, food safety management) so you don't get contaminated food. And if they comply with the ISO standard, they are following a set of rules that makes it quite unlikely that a bad incident will happen.

So when your client requires you to comply with ISO 27001, the message is: make sure you take the right precautions to secure their information.

What's next?

My next task is to read up on ISO 27001, build a documentation toolkit and, last but not least, make a simple step-by-step list to get us compliant, and to make it very easy for us to get certified if our clients require it.